The Data Encryption Standard (DES) has been used for several decades, but it is currently near the end of its useful life. Shown in FIGS. 1A and 1B are block diagrams depicting the operation of DES to encrypt and decrypt, respectively. DES is a Feistel cipher that processes plaintext blocks of n=64 bits, producing 64-bit cipher text blocks. As shown in FIG. 1A, plaintext message P 102 is passed through a DES encryption algorithm E 108 by application of a 56-bit key K104 used to generate ciphertext C 106. Note that K 104 is 56-bits in length, however, the input key K 104 is a 64-bit key with 8 parity bits. Thus, the work factor of key K 104 is 256 and not 264. The complementary decryption is shown in FIG. 1B wherein ciphertext C 106 is passed through a DES decryption algorithm D 112 by application of key K 104 which generates the original plaintext P 102.
With the useful life of DES near an end, triple DES (3DES) is seen as the choice for the near term future. The documents FIPS 46-3 and FIPS 81 describe 3DES and DES and are herein incorporated by reference for all purposes. With an understanding of DES, 3DES can readily be understood as the multiple application of various single DES algorithms as shown in FIG. 2 AD. As shown, plaintext message P 202 is passed through a DES encryption algorithm E 204 by application of a 56-bit key KL 206 to generate a first intermediate ciphertext result c′ 208. Such first intermediate ciphertext result is then passed through a DES decryption algorithm D 210 by application of KR 212 to generate a second intermediate ciphertext result c″ 214. Such second intermediate ciphertext result is then passed through a DES encryption algorithm E 216 by application of key KL 206 to generate the ciphertext C 218. The three-stage operation of FIG. 2A is summarized in FIG. 2B. As shown, the plaintext message P 202 is passed through a 3DES encryption algorithm 3E 230 by application of keys KL 206 and KR 212 to generate ciphertext 218. The complementary 3DES decryption is shown in FIG. 2C as a sequential operation of DES decryption D 220, encryption E 222 and decryption D 224 to transform ciphertext C 218 into plaintext P 202 using keys KL 206 and KR 212. The three stage algorithm of FIG. 2C is summarized in FIG. 2D as the input of ciphertext C 218, and keys KL 206 and KR 212 to 3DES decryption algorithm 3D 232 to generate plaintext P 202.
Today's secure financial network environment is unique in that it is at a transition point where single DES systems are phasing out and being replaced by 3DES implementations and eventually other algorithms. One such new algorithm is the Advanced Encryption Standard (AES) which has been accepted as a standard and will be introduced into the market in coming years. The document FIPS 197 describes AES and is herein incorporated by reference for all purposes.
The phasing out of single DES is being done because it has been demonstrated that an exhaustive search of the 256 DES key space can be done in about 22 hours or less. The key space for 3DES is at least 2112, which is 256 times larger than the single DES key search. Thus, one who implements 3DES should expect to get 3DES security as well as 3DES functionality. Furthermore, one who implements 3DES should expect no less than a 2112 exhaustive search in order to uncover the 3DES keys. Namely, security of the 3DES keys, KL and KR, should be commensurate with the security of 3 DES encryption and should, likewise, have a work factor of no less than 2112.
Shown in FIG. 3 is a cryptographic system 300 wherein an acquiring host 302 within cryptographic system receives cryptographic tasks from a point of sale (POS) network 304, an automatic teller machine (ATM) network 306 and a switch host system 308. As shown, cryptographic system 300 includes acquiring host 302 security module 310 and database 312. Notable within security system 300 is that security module 310 resides within a security boundary 314. Within security boundary 314, keys may exist without encryption (i.e., clear keys), but outside of security boundary 314, such as within acquiring host 302 or database 312, keys must be encrypted. As shown for cryptographic system 300, a master file key (MFK) 320 is implemented. Thus, when security module 310 passes keys from within security boundary 314 to locations outside security boundary 314, security module 310 first encrypts the keys using MEK 320. Thus, within acquiring host 302 and database 312 keys (K) exist as encrypted keys, e.g., EMFK(K)). In a single DES implementation, the MFK algorithm is typically a single DES algorithm. Moreover, when communicating keys beyond cryptographic system 300 (e.g. to POS or ATM networks), keys may be encrypted in a similar manner with a key exchange key (e.g., EKEK(K)).
In implementing 3DES systems, however, current schemes for encrypting keys outside of security boundary 314 do not produce the required level of security for the keys. For example, the ANSI X9.24 standard, herein incorporated by reference for all purposes, recommends implementing 3DES key encryption in electronic code book (ECB) mode. See ANSI X9.17 standard and ANSI X9.71 standard, incorporated herein by reference for all purposes, for examples of other key blocks. This, however, increases the work factor by only 2 to an exhaustive search work factor of 2×256=257. This is far less than the required 2112 work factor for implementations of 3DES.
Specifically, in implementing the ECB mode for 3DES, the MFK is used in a 3DES algorithm thus providing a 2112 work factor. The MEK is used to individually encrypt the two keys, KL and KR, for a 3DES implementation. Detrimentally, the individually encrypted keys are then stored, many times side-by-side, in a database. Thus, although an adversary cannot attack the MFK algorithm directly as it has a 2112 work factor, an adversary can attack the individually stored keys. It has been shown that an adversary could determine each of KL and KR with a work factor of 256, thus the combined work factor is only 257, an unacceptable level of security for 3DES. A white paper by Hopkins et. al, entitled “A Secure Keyblock for Storage. Transmission, and Control of Cryprogrophic Keys in a High Performance Server Environment,” herein incorporated by reference for all purposes, provides several examples of how improper implementation of 3DES can be attacked. Table 1, below, summaries the susceptibility of various modes when used to protect key blocks as indicated by their work factor,
TABLE 1Triple DES ModeAttack as Described inWork Factor to RecoverUsing MFKWhite PaperDES KeyECBMeet in the Middle2112 with 256 key tableAny ModeTurn Security ModuleNo Work FactorAgainst ItselfECBC1, C42 × 256CBCIV1, C1, C42 × 256
It is apparent from the table that all prior art DES modes have some susceptibility to manipulation and modification by an adversary. This suggests, the integrity of the ciphertext key must be better maintained.
Thus, there exists a need for a key protection system and method that can support a cryptographic algorithm such as 3DES without compromising the algorithm's associated work factor. Furthermore, it is desirable that those that implement cryptographic systems and their service providers have a clear and common understanding of the basic design and implementation objective of a secure cryptographic system. In implementing such a system and method, a method assuring the integrity of all keys used in the system should be adopted.